Australian Privacy Act Compliance Plan

What is a Privacy Management Plan

DDSN Interactive (DDSN) is required to have a Privacy Management Plan (PMP) under the Privacy APP Code 2017 (the APP Code).

A PMP is a scalable, risk-based framework used to assess privacy maturity. DDSN has adopted this PMP from the Australian Attorney-General's Department.

We review our PMP regularly and use it as a strategic planning document to:

  • assess our privacy maturity level
  • reflect on actions we have taken to increase our privacy maturity
  • identify our privacy goals and maturity targets, and
  • set out how we will meet our compliance obligations under the Australian Privacy Principles.

The Maturity Framework

We measure our privacy maturity using the Maturity Framework developed by the Office of the Australian Information Commissioner. The Maturity Framework consists of 21 attributes, which are broadly categorised into 5 elements:

  1. Governance and Culture
  2. Privacy Strategy
  3. Privacy Processes
  4. Risk and Assurance
  5. Data Breach Response.

Where an asterisk (*) is next to an attribute, it is a 'compliance attribute' and must have a minimum maturity level of 'Developing' to comply with the Privacy Act and the APP Code.

We assess our privacy maturity across each attribute against 4 maturity levels [1].

Overall, DDSN considers itself to be between Defined and Leader. We are 27 years old and have mature and established processes. The team has a well-established understanding of privacy laws, we educate our clients on matters of privacy, and we ensure that the systems we implement adhere to the APPs. We run a private cloud and have a policy of self-hosting information. We encrypt PII at rest in client systems. We run private AI services rather than using cloud AI services.

Privacy Risk Profile

In the course of preparing this PMP, we have considered various matters relevant to our privacy risk profile.

Privacy risk profile rationale

We self-assess as having a medium privacy risk profile based on the assessment process set out in OAIC guidance, which recommends consideration of an agency’s functions and activities, privacy influence and trust and the amount and sensitivity of the personal information being handled. An agency with a medium risk profile is one that provides some public services but handles less personal information, or that influences the privacy practices of other agencies.

We collect and hold a broad range of personal information, including sensitive information, relating to:

  • individuals participating in programs and initiatives we coordinate or fund
  • the management of grants, contracts and funding agreements
  • criminal matters and case work, including extradition and mutual assistance
  • legal matters in which the Australian Government Solicitor (AGS) is acting
  • progressing statutory appointments, and
  • employment and personnel matters for staff and contractors.

We also set privacy policy and depend on the trust of the community to meet our purposes.

Governance and Culture

Attribute | Current Level | Rationale/Commentary | Target Level | Steps to reach/maintain target level

Privacy Champion*

Current level: Leader

Rationale/Commentary: DDSN appoints Rob Wells as our Privacy Champion. As our hosting manager and CEO, he has the mandate to promote a culture of privacy and to implement the supporting infrastructure.

A significant part of this is our sovereign hosting and data policy, which not only keeps our own information within DDSN.net hosting but also keeps our customer data there wherever we are responsible for it, and requires that any SaaS platforms used are acknowledged and under Australian jurisdiction.

Target level: Leader

Steps to reach/maintain target level: Our Privacy Champion will continue to actively seek opportunities to improve our privacy culture.

Privacy Values

Current level: Leader

Rationale/Commentary: We have publicly committed to championing the Privacy Act, including the APPs, through our Trust Centre (https://ddsn.com/extranet/trust-center).

DDSN often provides consultancy to clients to improve their privacy stance.

Our positive privacy culture is further demonstrated through strong staff participation in privacy awareness-raising activities, such as mandatory privacy training for all staff.

Target level: Leader

Steps to reach/maintain target level: The Privacy Unit will continue to work with key internal stakeholders to further embed privacy values into our strategic planning documents, and to promote a culture of valuing and protecting personal information.

Privacy Officer*

Current level: Leader

Rationale/Commentary: Dr Kennedy acts as our Privacy Officer, ensuring that customer data security is followed by the whole delivery team.

Target level: Leader

Steps to reach/maintain target level: Our Privacy Officer will continue to:

  • Review practices, procedures and systems to identify innovative ways to achieve our privacy goals
  • Collaborate with, and assist, our clients to meet the standards

Management and Accountability

Current level: Leader

Rationale/Commentary: All staff are required to adhere to privacy laws, policies, and practices.

Our Data Breach Response Team is responsible for compliance with the Notifiable Data Breach scheme.

Target level: Leader

Steps to reach/maintain target level: The DDSN team will continue to:

  • Deliver and promote privacy advice, compliance and oversight within all our development and deployments
  • Seek innovative ways to further embed privacy management and accountability in our organisation
  • Support the Data Breach Response Team if required

Awareness

Current level: Defined

Rationale/Commentary: As part of its forward work plan, DDSN has a strategy to raise privacy awareness within the company and with our clients.

DDSN runs quarterly training on privacy policies at an all-team meeting.

Staff engage on privacy matters, and view privacy as a positive and valuable part of their work.

Staff have a strong knowledge of our privacy framework and know where to seek assistance on privacy-related matters.

Target level: Leader

Steps to reach/maintain target level: We will improve staff awareness via regular, targeted communications in meetings, and with clients via a newsletter.

Privacy Strategy

Attribute | Current Level | Rationale/Commentary | Target Level | Steps to reach/maintain target level

Privacy Management Plan*

Current level: Leader

Rationale/Commentary: Our PMP is a strategic planning document used by DDSN key staff to measure our current privacy maturity and to identify opportunities for innovation and improvement.

Our PMP addresses how we handle personal information throughout the information lifecycle, with specific consideration given to areas we assess as having greater risk.

We review our PMP regularly, and reflect on our planned outcomes when considering resourcing.

We promote a culture of transparency by publishing our PMP on our intranet.

Target level: Leader

Steps to reach/maintain target level: We will continue to publish our PMP on our staff website and will promote the document to all staff.

Inventory of Personal Information*

Current level: Developing

Rationale/Commentary: Our Personal Information Register (PIR) is a detailed inventory of our personal information holdings for DDSN and for each client. It documents discrete holdings, data flows, retention, de-identification and destruction policies, and storage and security controls (including details of internal IT systems and databases, and whether external third parties hold information). Our PIR also identifies the risk level associated with each holding.

The Privacy Unit considers the PIR in the context of our broader privacy goals and priorities, identifying opportunities to maximise the utility of our data while managing risk.

The Privacy Unit routinely seeks updates to the PIR as business functions change, especially with respect to client information as new functions are developed.

Target level: Leader

Steps to reach/maintain target level: This is being developed in Q3 2025.

Data Quality Processes*

Current level: Leader

Rationale/Commentary: We are committed to data quality assurance, understanding that the quality of our data holdings directly underpins the performance of our functions and the attainment of our organisational objectives.

We continually seek out opportunities to harden the systems that store our data holdings and to improve the processes governing the collection, use and storage of personal information.

We willingly assist our clients to improve their data quality and processes by sharing our learnings.

Target level: Leader

Steps to reach/maintain target level: The Hosting team will continue to improve and innovate our data quality processes to ensure that the personal information we hold is of the highest quality.

Our account management team will continue to improve our understanding of our customers.

Information Security Processes

Current level: Leader

Rationale/Commentary: We have a well-established and positive information security culture.

We train staff to understand the commonalities and differences between privacy and security, and we provide information about all relevant privacy and security policies and processes.

We integrate privacy and security requirements into our policies and procedures to limit duplication.

We adopt measures such as HAZOP reviews of our hosting environments, archiving, and access controls in our procedures to limit privacy risks.

We welcome engagement with our clients on strengthening their information security and privacy functions.

Target level: Leader

Steps to reach/maintain target level: DDSN will continue to work together to investigate mutual risks, to pursue opportunities to further align privacy and security management within our hosting services, and to educate staff on their privacy and security responsibilities.

Privacy Processes

Attribute | Current Level | Rationale/Commentary | Target Level | Steps to reach/maintain target level

External Privacy Policy and Notices*

Current level: Defined

Rationale/Commentary: We use plain English in our privacy messaging (including our privacy policy and collection notices), and focus on transparency.

Our privacy documents are published on our website in various formats to promote accessibility.

DDSN reminds customers to update and enhance their privacy statements and to publish them on their websites.

Our messaging is consistent and easy to locate, usually provided at the point of contact.

Target level: Leader

Steps to reach/maintain target level: We will continue to review and update our privacy policy and collection notices, both on our website and in our client contracts, ensuring they address any changes to the way personal information is collected, used and stored.

DDSN will also continue to work with its customers to do the same.

Internal Policies and Procedures

Current level: Defined

Rationale/Commentary: We have clear and comprehensive internal policies and procedures relating to our handling of personal information. We proactively review them to ensure their ongoing legal compliance and relevance in the context of changed community expectations, departmental functions, and identified risks and opportunities.

Our internal policies are well-operationalised, and consistently followed by staff.

Target level: Leader

Steps to reach/maintain target level: DDSN leadership will proactively seek staff and management contributions to our internal policies and will investigate new ways to design, distribute and embed our policies and procedures within the department.

DDSN leadership will ensure our policies and practices remain an integral part of the way we function, and that they drive cultural and behavioural change and encourage privacy best practice.

Privacy Training*

Current level: Defined

Rationale/Commentary: We provide privacy training to new staff and quarterly refreshers at all-team meetings.

Our training is reviewed periodically.

DDSN provides privacy advice to our clients.

Target level: Leader

Steps to reach/maintain target level: We will continue to focus on privacy training as a priority and elevate our offerings to integrate changing requirements in response to privacy reforms.

Privacy Impact Assessments*

Current level: Developing

Rationale/Commentary: DDSN undertakes data identification reviews on an ad hoc basis on behalf of clients.

Target level: Leader

Steps to reach/maintain target level: DDSN will develop a Privacy Impact Assessment process that it can apply to improve consistency and uniformity.

Dealing with Suppliers

Current level: Defined

Rationale/Commentary: We have clear, documented processes for not using third parties to collect personal information on our behalf, and we require police checks for all staff who access personal information that we hold.

Our standard client contract includes confidentiality, secrecy and privacy requirements.

The Privacy Unit assists clients who engage third parties to ensure that they understand their APP requirements.

Target level: Leader

Steps to reach/maintain target level: DDSN is developing a privately hosted AI LLM to cater for this requirement.

Access and Correction*

Current level: Leader

Rationale/Commentary: We take an active approach to access and correction requests, including requests from individuals to remove their data from our systems. We view them as an opportunity to demonstrate openness and transparency.

Target level: Leader

Steps to reach/maintain target level: DDSN will continue to innovate and refine our approach to responding to, and supporting our clients in responding to, access requests, correction requests and requests to remove personal data from systems we support.

Complaints and Enquiries

Current level: Leader

Rationale/Commentary: We are committed to maintaining open communication channels for clients to make privacy enquiries and complaints.

Our decentralised approach to engaging with clients on privacy matters through the Help Desk empowers individuals to choose whether to contact DDSN or their account manager.

Complaints and enquiries concerning the way in which DDSN handles personal information are directed to the DDSN CEO in the first instance.

We value the insights received through privacy complaints and enquiries, and use them to inform updates to our procedures and policies, and to address frequently asked questions.

Target level: Leader

Steps to reach/maintain target level: We will continue to use the insights gained from any privacy complaints and enquiries to improve our response and enhance our privacy practices and policies.

Risk and Assurance

Attribute | Current Level | Rationale/Commentary | Target Level | Steps to reach/maintain target level

Risk Identification and Assessment

Current level: Defined

Rationale/Commentary: DDSN has integrated privacy into our wider risk management framework.

The DDSN team draws on a range of data and information sources (including complaints and enquiries, data breaches, our PIR and staff enquiries) to proactively identify and respond to privacy risks.

Target level: Leader

Steps to reach/maintain target level: The DDSN team will continue to review and monitor information from complaints, data breaches and enquiries to better understand our key privacy risks.

The hosting team will promote the early identification of privacy risks as part of awareness-raising activities.

Reporting and Escalation

Current level: Leader

Rationale/Commentary: We have a policy of responding immediately to privacy risks and issues, undertaking rectification and improvement activities (particularly to code quality), and documenting lessons learned, including from data breach (penetration) testing undertaken by clients or third-party companies.

DDSN maintains records of compliance activities, data breaches and complaints.

We are transparent with our stakeholders on reporting and escalation practices, procedures and systems.

Target level: Leader

Steps to reach/maintain target level: The CEO endorses key privacy management documents, including the PMP.

Assurance Model

Current level: Defined

Rationale/Commentary: We are responsive and act with purpose to resolve privacy incidents or breaches, which includes establishing appropriate controls and implementing changes to policy and processes as required.

We maintain strategic oversight of privacy issues likely to impact DDSN and our clients, supported by regular internal audits of our personal information holdings.

We gauge staff understanding of their privacy obligations through our privacy awareness-raising all-team training sessions.

Target level: Leader

Steps to reach/maintain target level: DDSN will continue to seek opportunities to innovate and develop our assurance activities.

DDSN will continue to collaborate with our clients to identify and implement improvements.

Data Breach Response

Attribute | Current Level | Rationale/Commentary | Target Level | Steps to reach/maintain target level

Data Breach Response Plan

Current level: Defined

Rationale/Commentary: Our Data Breach Response Plan (DBRP) has been designed to empower staff to identify and respond to data breaches. It clearly defines response personnel, processes and escalation paths to contain, assess and respond to data breaches.

The Privacy Unit routinely tests our DBRP with business areas and key stakeholders involved in data breach response.

The Privacy Unit regularly updates our DBRP to reflect lessons learned and changes to our commercial service offerings.

We promote a culture of transparency by publishing our DBRP on our intranet and in our Trust Centre for clients.

We are willing to assist other companies (our clients) to increase their data breach response capabilities.

Target level: Leader

Steps to reach/maintain target level: DDSN will add routine testing of our DBRP with staff involved in data breach response.

DDSN will continue to embed lessons learned from DBRP testing and will implement identified prevention measures to improve our hosting environment and our response capabilities.

The Privacy Champion will continue to embed a strong culture of openness and trust, encouraging staff to come forward as soon as they become aware of a suspected or actual data breach.

Data Breach Notification*

Current level: Leader

Rationale/Commentary: We view notification as an opportunity to mitigate serious harm and to build trust and transparency with our stakeholders.

Our Data Breach Response Team is responsible for compliance with the Notifiable Data Breach scheme.

Our DBRP and Data Breach Response Team guide include clear processes and procedures that support consistent and comprehensive assessment of suspected or actual data breaches. The requirements of the Notifiable Data Breach scheme are clearly articulated.

Our Data Breach Response Team guide outlines appropriate notification options, including:

  • Notifying all affected individuals
  • Notifying those affected individuals at risk of serious harm
  • Publishing a notification statement to draw the attention of affected individuals at risk of serious harm.

Target level: Leader

Steps to reach/maintain target level: DDSN will continue to actively monitor and respond to suspected or actual data breaches and uphold our responsibilities under the Notifiable Data Breach scheme.
[1] The attributes for each maturity level within the Maturity Framework are described in the OAIC's Interactive Privacy Management Plan.

Document Control and Revision History

Version (Date) | Version No | Author | Checked | Approved | Amendments
10/08/2022 | 1.0 | D Kennedy | | D Kennedy | Document created
19/08/2025 | 1.1 | D Kennedy | | D Kennedy | Updated minor wording; added Control & Revision table